lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4ea0ced79912e810e2655bf21896937bd8f8d24e.camel@omp.ru>
Date: Wed, 7 Aug 2024 14:20:36 +0000
From: Roman Smirnov <r.smirnov@....ru>
To: "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>
CC: "lvc-project@...uxtesting.org" <lvc-project@...uxtesting.org>,
	"linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
	"davem@...emloft.net" <davem@...emloft.net>, Sergey Shtylyov
	<s.shtylyov@....ru>, "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] crypto: mpi: add NULL checks to mpi_normalize().

On Fri, 2024-08-02 at 20:46 +0800, Herbert Xu wrote:
> On Tue, Jul 16, 2024 at 11:28:25AM +0300, Roman Smirnov wrote:
> > If a->d is NULL, the NULL pointer will be dereferenced. It
> > is necessary to prevent this case. There is at least one call
> > stack that can lead to it:
> > 
> >     mpi_ec_curve_point()
> >       ec_pow2()
> >         ec_mulm()
> >           ec_mod()
> >             mpi_mod()
> >               mpi_fdiv_r()
> >                 mpi_tdiv_r()
> >                   mpi_tdiv_qr()
> >                     mpi_resize()
> >                       kcalloc()
> > 
> > mpi_resize can return -ENOMEM, but this case is not handled in any way.
> > 
> > Next, dereferencing takes place:
> > 
> >     mpi_ec_curve_point()
> >       mpi_cmp()
> >         do_mpi_cmp()
> >           mpi_normalize()
> > 
> > Found by Linux Verification Center (linuxtesting.org) with Svace.
> > 
> > Signed-off-by: Roman Smirnov <r.smirnov@....ru>
> > ---
> >  lib/crypto/mpi/mpi-bit.c | 3 +++
> >  1 file changed, 3 insertions(+)
> 
> I've just posted a patch to remove mpi_ec_curve_point and mpi_tdiv_qr.
> Are there any other code paths with the same problem?

Svace found a similar case but it is no longer relevant:

NULL constant:
    mpi_ec_mul_point()
      ec_mulm(z3, point->z, z2, ctx)
        ec_mod()
          mpi_mod()
            mpi_fdiv_r()
              mpi_tdiv_r()
                mpi_tdiv_qr()
                  mpi_resize()
                    kcalloc()

Dereference:
    mpi_ec_mul_point()
      ec_invm(z3, z3, ctx)
        mpi_invm()
          mpi_cmp_ui()
            mpi_normalize()
> 
> Thanks,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ